Android User Data Easily Stolen

Researchers have discovered that most Android devices have holes through which personal data can be snagged by hackers.

(click image for larger view)

Slideshow: Motorola Xoom Teardown: Inside The New Android Tablet

The weak link when it comes to security on Android devices, say University of Ulm researchers, is the ClientLogin authentication protocol when used on open Wi-Fi networks. This tool is used to authenticate user account details with the Android Market and Google services. It passes the authToken via secured https connections. The problem is the returned authToken, which can remain valid for up to two weeks. When used on insecure http networks, hackers can sniff out the authToken and then use it to access personal data.

The personal data that's left hanging in the breeze is calendar information, contact data, and private Web albums. The researchers note that this means ne'er-do-wells can "view, modify, or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user."

Who does this affect? The researchers tested the authentication protocol across Android versions 2.1, 2.2, 2.2.1, 2.3.3, 2.3.4, and 3.0 across a wide range of handsets, including the HTC Nexus One, HTC Desire, HTC Incredible S, and the Motorola Xoom. Any device running an Android version 2.3.3 and older is more or less wide open. This means 99.7% of all Android phones, according to the most recent statistics from Google (very few devices have been updated to Android 2.3.x yet).

The 2.3.4 system update to Android adds https support for calendar and contacts authentication requests, but leaves Picasa requests still open to attack.

The vulnerability in question applies not just to Google-developed Android applications, but third-party applications as well. Essentially, any app that uses Google's services and the ClientLogin protocol over http rather than https is fair game.

Obviously, leaving this type of data unsecured could be problematic for anyone, but even more so for enterprise users of Android devices. Fortunately, there are some things that can be done to help prevent data theft.

First and foremost, don't use open Wi-Fi networks at all. Use cellular data and, if Wi-Fi is necessary, connect only to protected access points. End-users also can switch off the automatic syncing tools (when using Wi-Fi) in the settings menu. These are relatively easy changes that will provide at least a modicum of protection before a more permanent fix is developers.

As for a permanent fix, updating devices to Android version 2.3.4 is necessary, but that won't be an easy step to take. Generally, even minor system updates are only available from wireless network operators and handset vendors. Given the absolute lack of Android 2.3 on most devices, the probability that you'll be able to update your workforce to Android 2.3.4 in the near future is slim to none.

Beyond these steps, it is up to Google and Android developers to solve this security problem.

In the new, all-digital issue of InformationWeek: Our 2011 Strategic Security Survey shows increased executive interest in security. Here's what you should do next. Download it now. (Free registration required.)

Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.